Implementing Host and Software Security PDF
This document provides an overview of host and software security, focusing on implementing host security, cloud and virtualization security, mobile device security, and incorporating security into the software development lifecycle. It discusses various aspects of these topics including hardening, operating system security, and hardware and firmware security in detail.
Implementing Host and Software Security

Implement Host Security
Implement Cloud and Virtualization Security
Implement Mobile Device Security
Incorporate Security in the Software Development Lifecycle

Copyright (c) 2018 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

Hardening
- The security technique of altering a system's configuration to close vulnerabilities and protect the system against attack.
- Typically implemented so systems conform to security policy.
- Many different techniques are available.
- Hardening may also restrict a system's capabilities, so it must be balanced against accessibility.

Operating System Security
- Each OS has unique vulnerabilities for attackers to exploit. Different OS types and OSes from different vendors have their own weaknesses.
- Vendors try to correct vulnerabilities while attackers try to exploit them.
- Stay up-to-date with security information posted by vendors and other references.
- Different types of OSes: network, server, workstation, appliance, mobile.

Operating System Hardening Techniques
- Implement a principle of least functionality.
- Disable unnecessary network ports.
- Disable unnecessary services.
- Take advantage of secure configurations.
- Disable default accounts.
- Force users to change default passwords.
- Implement a patch management service.

Trusted Computing Base
- Trusted computing base (TCB): The hardware, firmware, and software components responsible for ensuring computer system security.
- Trusted operating system: An operating system that fulfills the security requirements of a TCB.
(Figure: layered stack of Trusted OS, Firmware, Hardware.)
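The hardening techniques listed above, turned into a check that a host can be run against. This is an added example, not code from the CompTIA slides; the web-server baseline, the host snapshot and the patch identifiers are constructed placeholders.

```python
"""Host hardening check against a least-functionality baseline (added example).

Compares a constructed snapshot of one host against a baseline of what that
host role is allowed to run and reports the deviations the hardening list
names: unnecessary listening ports and services, enabled default accounts,
unchanged default passwords, and missing patches.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed baseline for a hypothetical web-server role (placeholder patch ids).
WEB_SERVER_BASELINE = {
    "allowed_ports": {22, 80, 443},
    "allowed_services": {"sshd", "nginx", "rsyslog"},
    "default_accounts": {"guest", "admin"},          # must be disabled on every host
    "required_patches": {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"},
}

@dataclass
class HostSnapshot:
    """Constructed inventory of one host, as a configuration agent would collect it."""
    name: str
    listening_ports: set[int]
    enabled_services: set[str]
    enabled_accounts: set[str]
    default_password_accounts: set[str]   # accounts whose password is still the vendor default
    installed_patches: set[str]

def audit_host(host: HostSnapshot, baseline: dict) -> list[str]:
    """Return one finding per deviation from the baseline; an empty list means compliant."""
    findings = []
    for port in sorted(host.listening_ports - baseline["allowed_ports"]):
        findings.append(f"port {port} listening but not in baseline")
    for svc in sorted(host.enabled_services - baseline["allowed_services"]):
        findings.append(f"service {svc} enabled but not in baseline")
    for acct in sorted(host.enabled_accounts & baseline["default_accounts"]):
        findings.append(f"default account {acct} is still enabled")
    for acct in sorted(host.default_password_accounts):
        findings.append(f"account {acct} still uses its default password")
    for patch in sorted(baseline["required_patches"] - host.installed_patches):
        findings.append(f"required patch {patch} not installed")
    return findings

if __name__ == "__main__":
    host = HostSnapshot("web01", {22, 80, 443, 3306}, {"sshd", "nginx", "rsyslog", "mysqld"},
                        {"root", "deploy", "guest"}, {"guest"}, {"KB-PLACEHOLDER-1"})
    for line in audit_host(host, WEB_SERVER_BASELINE) or ["compliant"]:
        print(line)
```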
Hardware and Firmware Security
- BIOS/UEFI: Basic Input/Output System and Unified Extensible Firmware Interface. Both are firmware interfaces that initialize hardware for system boot. UEFI is more modern and secure.
- Root of trust and HSM: A root of trust enforces trusted computing through encryption. A hardware security module is a physical device that implements a root of trust.
- TPM: Trusted Platform Module. A secure cryptoprocessor that generates keys for use in the TCB.
- Secure boot and remote attestation: Secure boot is a UEFI feature that prevents malicious processes from executing during boot. A cryptographic hash is taken of the boot loader to ensure integrity; the TPM can sign that hash for third-party verification (remote attestation).

Security Baselines
- A collection of host security settings.
- Compare the baseline to the security settings of hosts in your network.
- Baselines are crucial for streamlining the host hardening process.
- Don't harden hosts in a vacuum; use the baseline as a security template.
- Each baseline will differ based on the computer's function and operating system.
(Figure: a server's configuration compared against the baseline.)

Software Updates
- Patch: Small unit of code meant to address a security problem or functionality flaw.
- Hotfix: A patch issued on an emergency basis to address a specific security flaw.
- Rollup: A collection of previously issued patches and hotfixes.
- Service pack: A large compilation of system updates that can include functionality enhancements and any prior patches, hotfixes, and rollups.

Application Blacklisting and Whitelisting
- Blacklisting: Preventing the execution of all apps that are on a list of unauthorized apps. Drawback: You can't block malicious apps you haven't identified.
- Whitelisting: Preventing the execution of all apps that aren't on a list of authorized apps. Drawback: Creation and maintenance of the list increases overhead.
(Figure: blocked apps Ransomware.exe, RAT.exe, DDoS.exe; allowed apps Word.exe, Outlook.exe, Chrome.exe.)

Logging
- The process of an operating system or application recording data about activity on a computer.
- Logs are stored as text files with varying levels of detail. Highly detailed logging can consume excessive storage space.
- Logs can reveal information about a suspected attack.
- Restrict access to logs and back them up routinely.

Auditing
- Performing an organized technical evaluation of a system's security to ensure it is in compliance.
- Similar to a security assessment, but auditing is focused more on ascertaining whether the system meets a set of criteria.
- Criteria come from laws, regulations, standards, and organizational policy.
- Most audits are performed by third parties. Example: An external auditor checks whether an online merchant is in compliance with PCI DSS.
- Commonly associated with reviewing log files. Can also test passwords, scan firewalls, review user permissions, etc.
- Audits contribute to the overall hardening process.

Anti-malware Software
- Software that scans systems and networks for malicious software.
- Most scan for known malware; some can scan for unknown malware.
- Install anti-malware on all computers and keep anti-malware apps updated.

Types of Anti-malware Software
- Antivirus: Scans for code matching virus patterns (signature-based). Can actively monitor the system for virus activity (behavior-based or heuristic).
- Anti-spam: Anti-spam filters detect key words used in spam messages.
  Can also block based on IPs of known spam sources.
- Anti-spyware: Designed specifically to identify and stop spyware. Functionality may come packaged with antivirus software.
- Pop-up blocker: Prevents websites from popping up elements in the browser. Most browsers include this functionality.
- Host-based firewalls: Not specifically designed for anti-malware, but can still block network traffic used by malware.

Embedded Systems
- Hardware and software systems that have a specific function within a larger system.
- Larger systems include everything from home appliances to industrial machines; embedded systems are found in all kinds of technology and industries.
- Usually don't have the complexity of a PC or server; their dedicated purpose often means a less sophisticated architecture.
- May use an all-in-one microcontroller rather than discrete CPU/memory components.
- May not have a GUI, but may still have an OS.
- The larger system may be user-friendly even if the embedded system is not.

Security Implications for Embedded Systems
- Smart devices: Electronic devices with network connectivity and autonomous computing properties. Security is an afterthought or not thought of at all.
- IoT: IoT devices are objects (electronic or not) connected to the Internet, built from embedded electronic components. Like smart devices, security is very poor or non-existent.
- Camera systems: IP cameras are easier to manage than CCTV. Susceptible to standard networking risks. Can use encryption protocols to protect recorded data.
- Special purpose systems: Medical devices, ATMs, vehicles, etc. Security depends on the purpose and functionality of the system.
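The secure boot and remote attestation row of the Hardware and Firmware Security table above, worked through end to end as an added example that is not from the CompTIA slides. A real TPM signs its quote with an attestation key; here an HMAC over a constructed shared secret stands in for that signature so the flow runs offline, and the boot components are constructed byte strings.

```python
"""Measured boot and remote attestation, simulated (added example).

The device measures each boot component into a PCR (platform configuration
register), the 'TPM' signs the PCR value together with a verifier-chosen
nonce, and the verifier accepts only if the signature checks out and the PCR
equals the known-good value recorded at enrollment.
"""
from __future__ import annotations
import hashlib
import hmac
import os

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style PCR extend: new PCR = SHA-256(old PCR || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def boot_and_measure(components: list[bytes]) -> bytes:
    """Measure each boot component, in order, into a PCR that starts at all zeros."""
    pcr = bytes(32)
    for comp in components:
        pcr = extend(pcr, comp)
    return pcr

def quote(attest_key: bytes, pcr: bytes, nonce: bytes) -> bytes:
    """The 'TPM' signs the PCR value bound to the verifier's nonce (HMAC stands in for a signature)."""
    return hmac.new(attest_key, pcr + nonce, hashlib.sha256).digest()

def verify_quote(attest_key: bytes, golden_pcr: bytes, nonce: bytes,
                 reported_pcr: bytes, sig: bytes) -> bool:
    """Verifier side: the quote must be valid for this nonce and the PCR must match the golden value."""
    expected = hmac.new(attest_key, reported_pcr + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig) and hmac.compare_digest(reported_pcr, golden_pcr)

# Constructed boot chain: firmware, boot loader, kernel.
GOOD_CHAIN = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
GOLDEN_PCR = boot_and_measure(GOOD_CHAIN)   # recorded by the verifier at enrollment

def attest(chain: list[bytes], attest_key: bytes, nonce: bytes) -> bool:
    """One attestation round: the device boots `chain`, quotes, and the verifier decides."""
    pcr = boot_and_measure(chain)
    return verify_quote(attest_key, GOLDEN_PCR, nonce, pcr, quote(attest_key, pcr, nonce))

if __name__ == "__main__":
    key, nonce = os.urandom(32), os.urandom(16)
    print("good boot accepted:", attest(GOOD_CHAIN, key, nonce))
    print("tampered boot loader accepted:",
          attest([b"firmware-v1", b"bootloader-tampered", b"kernel-v1"], key, nonce))
```

Because the nonce is inside the signed data, a quote captured from an earlier round fails verification when the verifier issues a fresh nonce.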
Virtualization
- Virtualization: Creating a simulation of a computing environment that simulates hardware and software.
- You create virtualized computers to run on physical computers. Example: A virtual Linux computer running on a physical Windows Server.
- Virtual machine: A virtualized computer.
- Advantages: Easier to manage, cost-efficient, power- and resource-efficient.

Hypervisors
- The layer of software that separates the virtual software from the physical hardware it runs on.
- Manages resources on the physical host and provides them to the virtual guests.
- Provides flexibility and increased efficiency of hardware use.
- Two basic types: Type I runs directly on the host's hardware; Type II runs as an application on top of the host operating system.
(Figure: Type I stack is Guest OS > Hypervisor > Hardware; Type II stack is Guest OS > Hypervisor > Host OS > Hardware.)

Cloud Computing
- Computing involving real-time communication over large distributed networks to provide various resources to a consumer. Typically relies on the Internet.
- "The cloud" refers to resources available on a particular service. Examples: Business sites, consumer sites, storage services, etc.
- You can access and manage resources from anywhere. Storage method and location are not visible to the consumer.
- Cloud computing uses virtualization to provision resources, so the security implications are similar.

Cloud Deployment Models
- Private: Usually distributed by a single entity over a private network. Enables entities to exercise greater control over services. Geared toward banking and governmental services.
- Public: Done over the Internet, offering services to general consumers. Pay-as-you-go subscriptions and lower-tier services for free. Security is a concern for anything traversing the Internet.
- Community: Multiple entities sharing ownership of a cloud service. Done to pool resources for a common concern.
- Hybrid: Combines two or more of the previous models. Example: Private cloud for internal personnel, public for customers.

Cloud Service Types
- Software (SaaS): Uses the cloud to provide apps to users. Eliminates installation and purchasing of specific versions. Examples: Office 365, Salesforce, G Suite.
- Platform (PaaS): Provides virtual systems to customers. Can include operating systems and application engines. Examples: Oracle Database, Azure SQL Database, Google App Engine.
- Infrastructure (IaaS): Provides access to infrastructure needs. Includes data centers, servers, networking, etc. Examples: Amazon EC2, Azure VMs, OpenStack.
- Security (SECaaS): Provides resources for security purposes. Includes authentication, anti-malware, intrusion detection, etc. Examples: Cloudflare, FireEye, SonicWall.

Mobile Device Connection Methods
- Cellular: Wireless connection to transceivers in fixed locations across the world. Used primarily by mobile phones for voice and text, but also data. Uses transport encryption, but users have little control over security.
- Wi-Fi: Wi-Fi networks provide local area connections for mobile devices. Can incorporate encryption and authentication if using secure protocols. Organizations have more control over Wi-Fi than cellular.
- Bluetooth: Wireless technology primarily used for short-range communications. Example: Wireless headset connected to a nearby smartphone. Susceptible to bluejacking and bluesnarfing.
- NFC: Wireless communication in very close proximity.
  Used primarily for in-person data exchange. Susceptible to RF signal interception and DoS flooding.

Mobile Device Management
- The process of tracking, controlling, and securing an organization's mobile infrastructure.
- MDM solutions are often web-based platforms with a centralized console.
- You can enforce security on all mobile devices at once, rather than individually.

Mobile Device Security Controls
- Screen lock: The option should be enabled with strict requirements for unlock. The device can then only be accessed with a code the user has set.
- Strong passwords and PINs: The user should set up a strong password/PIN for the lock screen.
- Full device encryption: Data on devices should be encrypted to protect sensitive data.
- Remote wipe/lockout: Remote wipe remotely deletes sensitive data if the device is lost or stolen. Remote lockout remotely triggers the lock screen if the device is lost or stolen.
- Geolocation and geofencing: Geolocation is tracking the geographic location of devices. Geofencing is creating geographic boundaries for device functionality.
- Access controls: Uphold the principle of least privilege. Consider context-aware authentication.
- Application and content management: Set restrictions on what apps/content the user can access. Consider blacklisting or whitelisting apps.

Mobile Deployment Models
- Corporate-owned: The organization is the sole owner of devices and has full management control. Most secure, but may be too strict to be feasible.
- BYOD: Bring your own device; employees own and manage personal devices. Becoming increasingly common. Introduces security issues with new risks and questions of ownership.
- CYOD: Choose your own device; employees choose from a vetted list of devices. The employee is still in control of the device.
  Tries to mitigate BYOD vulnerabilities without being too strict.
- COPE: Corporate-owned, personally enabled. Employees can still use devices for personal reasons. The organization still has some control, which can prompt privacy concerns.
- VMI: Virtual mobile infrastructure, similar to VDI but for mobile OSes. Employees connect to VMs running mobile OSes. The organization retains control during work; the employee regains control after work.

Software Development Lifecycle
- The practice of developing software across a lifecycle from initial planning to final deployment and obsolescence.
- Each developed app goes through distinct phases of this lifecycle. You must integrate security into each phase of the lifecycle.
- Phases: Initiate, Design, Implement, Test, Deploy, Dispose.

Secure Coding Techniques
- Limiting dead code: Dead code is code that executes but produces results not used by the app. Remove dead code to minimize risk.
- Server-side vs. client-side: The server side should validate input and execute code not meant for the user. The client side should handle execution of GUI-based code.
- Limiting data exposure: Limit how much data the app exposes to users. Especially important in systems that provide access to multiple users.
- Memory management: Some languages manage memory automatically (Python, Java, etc.). Some languages require manual management (C, C++, etc.).
- Stored procedures: Pre-compiled database statements used for input validation. Deny user access to underlying data.
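The server-side validation and stored procedure rows of the Secure Coding Techniques table, shown as an added example that is not from the CompTIA slides. It uses Python's sqlite3 module; SQLite has no stored procedures, so a parameterized (pre-compiled) statement stands in for one, and the username pattern and the in-memory user table are constructed for the example.

```python
"""String-built query beside a validated, parameterized query (added example).

lookup_unsafe splices user input into SQL text, so input that closes the
quoted literal changes the query. lookup_safe rejects malformed usernames on
the server side and binds the value as a parameter, so the database only ever
sees it as data.
"""
import re
import sqlite3

# Constructed server-side rule: lowercase usernames, 3 to 32 characters.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two sample users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return con

def lookup_unsafe(con: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the input becomes part of the SQL statement itself."""
    return con.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()

def lookup_safe(con: sqlite3.Connection, name: str) -> list:
    """Hardened form: validate on the server, then bind the value as a parameter."""
    if not USERNAME_RE.match(name):
        raise ValueError("invalid username")
    return con.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

if __name__ == "__main__":
    con = make_db()
    probe = "x' OR 'a'='a"   # constructed input that closes the quoted literal
    print("unsafe returns:", lookup_unsafe(con, probe))   # every row, not just one user
    print("safe returns:", lookup_safe(con, "alice"))
    try:
        lookup_safe(con, probe)
    except ValueError as err:
        print("safe rejected probe:", err)
```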